> 2FA is a major pain in my ass and it is the only reason why I am forced to own and use a "modern smartphone" which is essentially a corporatist surveillance device.
TOTP-compliant services happily accept codes generated from non-mobile devices. 1Password even includes it (which is a unification of factors I don't personally trust, so I don't use it, but it's there if it fits your own threat model). They can also run on Android, etc. devices that literally-not-figuratively never touch the Internet, if device separation is a concern for you.
If your hangup is Duo or Okta or similar--well, there's always the choice not to work at places that necessitate them for 2FA.
> If more organizations just allowed me to have custodianship over my own keys like GPG for example, I could choose my own level of security by using a GPG smartcard if I wanted to.
Even developers don't want to touch GPG. That's why they don't and a large part of why things like Git commit signing are (IME) so rare.
I use Okta and it supports webauthn/fido just fine, seemingly by default, including touch id (or any standard USB key). If it does not, it's because your SSO administrator is intentionally turning it off.
Okta does not have my phone number or an app installed. I do not ever want to be pushed an approval, because I don't know who or what triggered it. I only want to proactively authenticate.
Yeah, pretty much. I explicitly want 2FA with a real 2FA factor on all of my services and all of my machines, but my caveat is that it has to be in my custody - yubikey, totp (not ideal but I do hold an encrypted backup of my seeds that I physically refresh sometimes), fido2, smart card, etc.
Push no. Push on a personal device even more no. SMS and phone absolutely FUCK NO for any reason.